SANS Digital Forensics and Incident Response Blog: Category - Evidence Analysis

Log2timeline Plugin Creation

About a year ago, I needed to add an Apache log to a supertimeline I was working on. I wrote a bash script to do this, as I was not familiar with perl at the time. I later went back and learned some basics of perl and converted it to my first log2tlimeline plugin. Since … Continue reading Log2timeline Plugin Creation


Digital Forensic SIFTing - Mounting Evidence Image Files

This is a series of blog articles that utilize the SIFT Workstation. The free SIFT workstation, can match any modern forensic tool suite, is also directly featured and taught in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). SIFT demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge … Continue reading Digital Forensic SIFTing - Mounting Evidence Image Files


Digital Forensics Case Leads: PFIC 2011 Report, DNS forensics, Massive Flaws in Amazon EC2?

The Paraben Forensics Innovator's Conference was held last week in Park City, Utah. Your SANS Digital Forensic blogger attended the event, along with over 300 fellow, forensicators and lawyers. With information security events like BlackHat, and DefCon drawing thousands, this is yet another small event that has many advantages over the larger conferences. At these … Continue reading Digital Forensics Case Leads: PFIC 2011 Report, DNS forensics, Massive Flaws in Amazon EC2?


Outlier analysis in digital forensics

In my previous post, Atemporal time line analysis in digital forensics, I talked about using the inodes of a known piece of attacker code as a pivot point to discover previously unknown attacker code on a system. In this post, I want to point out another interesting thing about these inodes. Recall that I'm using … Continue reading Outlier analysis in digital forensics


Atemporal time line analysis in digital forensics

As incident responders we often find that attackers compromise one host in a network and then pivot to others. In digital forensic investigations involving intrusions, we can do our own pivoting from one piece of evidence to another. On October 19th, I had the good fortune to speak at SECTor about one method of doing … Continue reading Atemporal time line analysis in digital forensics